Generally, conventional technology for the association analysis of security events is applied only to IT security apparatuses, for example, a firewall, an intrusion detection system, an intrusion prevention system, an anti-virus system, etc.; or, at the level of the conventional technology, a physical security apparatus such as an access control system is partially applied to the IT security apparatuses.
Security events generated in the security apparatuses are collected, normalized, and stored in a database. Whether there is an external intrusion is determined through the association analysis of the security events stored in the database.
However, since the conventional technology stores security events in a database and then analyzes association between the security events, it is difficult to detect an external intrusion and respond to the detected intrusion in real time. Also, since the conventional technology performs the association analysis of security events based on an Internet protocol (IP) address, it is difficult to analyze association between an IP address-based IT security event and a user identifier (ID)-based physical security event.
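The limitation described above can be shown with a small added example, which is not part of the original text: events are stored first and then correlated with an IP-keyed join, so the access control event never pairs with anything. The table schema, column names, 60-second window, use of SQLite and the sample events are all assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample events, already normalized to one schema (schema is an assumption).
# IT security apparatuses report a source IP; the access control system reports a user ID.
EVENTS = [  # (ts, device, kind, src_ip, user_id)
    (90,  "access_control", "door_entry",       None,       "u1001"),
    (100, "firewall",       "blocked_outbound", "10.0.0.5", None),
    (105, "ids",            "port_scan",        "10.0.0.5", None),
    (110, "antivirus",      "malware_found",    "10.0.0.9", None),
]

def load(events):
    """Store the collected events first, as the conventional approach does."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts INTEGER, device TEXT, kind TEXT,"
               " src_ip TEXT, user_id TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", events)
    return db

def correlate_by_ip(db, window=60):
    """Pair events from different devices that share a source IP within `window` seconds."""
    return db.execute(
        """SELECT a.device, a.kind, b.device, b.kind, a.src_ip
           FROM events a JOIN events b
             ON a.src_ip = b.src_ip          -- NULL = NULL is never true in SQL
            AND a.rowid < b.rowid
            AND a.device <> b.device
            AND ABS(a.ts - b.ts) <= ?
           ORDER BY a.rowid, b.rowid""", (window,)).fetchall()

def devices_covered(pairs):
    """Devices that take part in at least one correlated pair."""
    return {d for p in pairs for d in (p[0], p[2])}

if __name__ == "__main__":
    db = load(EVENTS)
    pairs = correlate_by_ip(db)
    print(pairs)
    print("access_control correlated:", "access_control" in devices_covered(pairs))
```

The door entry at `ts=90` falls inside the time window of the firewall and IDS events, yet it is left out because it carries a user ID and no IP address to join on.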